A characterization of a class of maximum 
nonlinear functions 

Doreen Hertel and Alexander Pott 
Institute for Algebra and Geometry 
Otto-von-Guericke-University Magdeburg 
D-39016 Magdeburg 

February 2, 2008 

Abstract 

Maximum nonlinear functions $F : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$ are widely used in
cryptography because the coordinate functions $F_\beta(x) := \mathrm{tr}(\beta F(x))$,
$\beta \in \mathbb{F}_{2^m}^*$, have large distance to linear functions. More precisely, the
Hamming distance to the characteristic functions of hyperplanes is large. One
class of maximum nonlinear functions are the Gold power functions $x^{2^k+1}$,
$\gcd(k,m) = 1$. We characterize these functions in terms of the distance
of their coordinate functions to characteristic functions of subspaces of
codimension 2 in $\mathbb{F}_{2^m}$.

1 Introduction



The finite field with $2^m$ elements is denoted by $\mathbb{F}_{2^m}$. The multiplicative group
of the field is denoted by $\mathbb{F}_{2^m}^*$. We may also view $\mathbb{F}_{2^m}$ as an $m$-dimensional
vector space over $\mathbb{F}_2$. The trace function is the linear mapping $\mathrm{tr} : \mathbb{F}_{2^m} \to \mathbb{F}_2$
defined by $\mathrm{tr}(x) = \sum_{i=0}^{m-1} x^{2^i}$. It is well known that the mappings $\mathrm{tr}_\beta$ defined
by $\mathrm{tr}_\beta(x) = \mathrm{tr}(\beta x)$ are linear, again, and all $2^m$ linear mappings $\mathbb{F}_{2^m} \to \mathbb{F}_2$ can
be represented like this. The reader is referred to ^H] for background from the
theory of finite fields.

The Hamming distance between two boolean functions $f, g : \mathbb{F}_{2^m} \to \mathbb{F}_2$ is the
number of elements $x \in \mathbb{F}_{2^m}$ such that $f(x) \ne g(x)$. The distance $d$ between $f$
and the linear function $\mathrm{tr}_\gamma$ is $2^{m-1} - \frac{1}{2} t_\gamma$, where



E 



£v = 



This is easily seen since $t_\gamma = 2^m - 2d$. The distance $d$ to the affine function
$x \mapsto \mathrm{tr}_\gamma(x) + 1$ is $2^{m-1} + \frac{1}{2} t_\gamma$ (now $-t_\gamma = 2^m - 2d$). We say that $f$ is highly
nonlinear if the smallest distance to all (affine) linear functions is very high. In
other words, the maximum value of $t_\gamma$ (where $\gamma \in \mathbb{F}_{2^m}$) is small. We denote the
maximum value for $|t_\gamma|$ the linearity of $f$:

(2) $\mathcal{L}(f) := \max_{\gamma \in \mathbb{F}_{2^m}} |t_\gamma|$



It is well known that

(3) $\mathcal{L}(f) \ge 2^{m/2}$

where equality may occur (of course, only for $m$ even), see [5], for instance. A
function $f$ satisfying $\mathcal{L}(f) = 2^{m/2}$ is called a bent function. They exist for every
even $m$, see [3]. Bent functions are basically the same objects as certain difference
sets, see ^3] and p. Note that $\mathcal{L}(f) = 2^m$ if $f$ is linear or affine.

Many authors formulate this problem in a slightly different (though equivalent)
way: They define the nonlinearity of $f$ to be

(4) $\mathcal{N}(f) := 2^{m-1} - \frac{1}{2}\mathcal{L}(f)$.

This number is the smallest Hamming distance between $f$ and the set of all
(affine) linear functions $\mathrm{tr}(\beta x)$ and $\mathrm{tr}(\beta x) + 1$ (which is called the 1st order
Reed-Muller code). The number $\mathcal{N}(f)$ is the so called covering radius of this code.

The goal is to maximize $\mathcal{N}(f)$. This maximum is known precisely only in the
case $m$ even, hence the covering radius problem is solved if $m$ is even. If $m$ is
odd, the problem seems to be much harder.

The numbers $t_\gamma$ are sometimes called the Walsh coefficients $\mathcal{W}_f(\gamma)$. If $f(x) = x^d$,
we simply write $\mathcal{W}_d(\gamma)$. In this paper, we do not need the full power of the
Walsh transformation, therefore we just refer to the literature for more
information about this important concept, see jHj, for instance. However, we use the
notation $\mathcal{W}_d(\gamma)$ to denote (1) for the power mapping $x^d$. Moreover we mention
that the function $f$ is uniquely determined by its Walsh spectrum

$\{\mathcal{W}_f(\gamma) : \gamma \in \mathbb{F}_{2^m}\}$.

This also holds if $f : \mathbb{F}_{2^m} \to \mathbb{C}$ is a complex-valued function, and we define

$\mathcal{W}_f(\gamma) := \sum_{x \in \mathbb{F}_{2^m}} f(x) (-1)^{\mathrm{tr}(\gamma x)}$.

We may interpret the integers $\mathcal{W}_d(\gamma)$ also in terms of the intersection between
certain sets. First of all note that any function $f : \mathbb{F}_{2^m} \to \mathbb{F}_2$ defines a subset $D_f$
of $\mathbb{F}_{2^m}$:

$D_f := \{x \in \mathbb{F}_{2^m} : f(x) = 1\}$.

Vice versa, every subset gives rise to a mapping $\mathbb{F}_{2^m} \to \mathbb{F}_2$.

Specifically, we define for $d$ with $\gcd(d, 2^m - 1) = 1$:

$D_d := \{x \in \mathbb{F}_{2^m} : \mathrm{tr}(x^d) = 1\}$
$H^0(\alpha) = \{x \in \mathbb{F}_{2^m} : \mathrm{tr}(\alpha x) = 0\}$
$H^1(\alpha) = \{x \in \mathbb{F}_{2^m} : \mathrm{tr}(\alpha x) = 1\}$.

If $\alpha \ne 0$, the sets $H^0(\alpha)$ and $H^1(\alpha)$ are subspaces of codimension 1 in $\mathbb{F}_{2^m}$
(hyperplanes), i.e. they have size $2^{m-1}$. Therefore, we obtain for $\alpha \ne 0$

$\mathcal{W}_d(\alpha) = 2^m - 2\left(|D_d \cap H^0(\alpha)| + |(\mathbb{F}_{2^m} \setminus D_d) \cap (\mathbb{F}_{2^m} \setminus H^0(\alpha))|\right)$

(5) $= 2^m - 4|D_d \cap H^0(\alpha)|$

and

(6) $-\mathcal{W}_d(\alpha) = 2^m - 4|D_d \cap H^1(\alpha)|$.

Since $|D_d| = 2^{m-1}$ we have $\mathcal{W}_d(0) = 0$.

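Now we turn our attention to vectorial functions $F : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$.

Let $F : \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$ be arbitrary. We consider the coordinate functions
$F_\beta(x) := \mathrm{tr}(\beta \cdot F(x))$ from $\mathbb{F}_{2^m}$ to $\mathbb{F}_2$. The smallest nonlinearity of all nonzero
coordinate functions of $F$ is called, similar to the boolean case, the nonlinearity
of $F$:

$\mathcal{N}(F) = \min_{\beta \in \mathbb{F}_{2^m}^*} \mathcal{N}(F_\beta)$

Similarly, the linearity is

$\mathcal{L}(F) = \max_{\beta \in \mathbb{F}_{2^m}^*} \mathcal{L}(F_\beta) = \max_{\gamma,\beta \in \mathbb{F}_{2^m},\, \beta \ne 0} \left| \sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(\gamma x + \beta F(x))} \right|$

and the connection between these two numbers is, like in (4),

(7) $\mathcal{N}(F) = 2^{m-1} - \frac{1}{2}\mathcal{L}(F)$.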

Similar to the case of boolean functions $f$, we have a (rather easy to prove) lower
bound

$\mathcal{L}(F) \ge 2^{(m+1)/2}$

where equality may occur if $m$ is odd, see again [S], for instance. Functions with
$\mathcal{L}(F) = 2^{(m+1)/2}$ are called maximum nonlinear or almost bent. In this case, we
know the linearities of all the coordinate functions:

(8) $\sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(\gamma x + \beta F(x))} \in \{0, \pm 2^{(m+1)/2}\}$,

see jS], again. Also the multiplicities are known. The following table shows how
often the sum in (8) (for a fixed $\beta \ne 0$) takes the three different values:

        value in (8)         multiplicity

        $0$                  $2^{m-1}$
(9)     $2^{(m+1)/2}$        $2^{m-2} \pm 2^{(m-3)/2}$
        $-2^{(m+1)/2}$       $2^{m-2} \mp 2^{(m-3)/2}$

More precisely, if $\mathrm{tr}(\beta F(0)) = 0$ then $2^{(m+1)/2}$ occurs $2^{m-2} + 2^{(m-3)/2}$ times, otherwise
it occurs $2^{m-2} - 2^{(m-3)/2}$ times.



Let $k$ be an integer with $\gcd(k,m) = 1$. Then the mappings $\mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$ defined
by

$x^{2^k+1}$ or $x^{2^{2k}-2^k+1}$

are maximum nonlinear. The first examples are called the Gold power mappings,
see |H], the second class of mappings are the Kasami power mappings, see [Hj.

There are two more classes of maximum nonlinear functions known (Welch and
Niho case), and they are also power mappings $x^d$. They have been proved to be
maximum nonlinear only recently, see [3] and [TTj .

If $\gcd(k, m) \ne 1$ or if $m$ is even, the linearities of the power mappings $x^{2^k+1}$ and
$x^{2^{2k}-2^k+1}$ are also known, provided that $\gcd(d, 2^m - 1) = 1$, see jH].

It is interesting to know that, up to now, all maximum nonlinear mappings can be 
constructed from these four classes. As usual, functions that can be constructed 
from each other using some specified procedure are called equivalent. In the 
case of functions, there are different ways to define equivalence. A nice way to 
unify these is contained in ^j. We refer the reader to [2] where it is shown that 
the equivalence described in j3] is indeed more general than the classical affine
equivalence. When we say that all known maximum nonlinear functions can be 
constructed from each other, we do not mean that they are all affine equivalent, 
but that they can be constructed from each other according to Proposition 3 in 
jU, see 0. 

In this paper we consider maximum nonlinear power functions $x^d$. Perhaps, this
class contains more mappings than just described. In view of the connection
between the Walsh coefficients of $\mathrm{tr}(\beta x^d)$ and the intersection between $D_d$ and
$H^i(\alpha)$ in (5) and (6), we obtain the following intersection numbers between $H^0(\alpha)$,
$\alpha \in \mathbb{F}_{2^m}^*$, and $D_d$:

\D d r\H°(a)\ multiplicity 

nm— 2 

(10) 



)m-l 



2 m— 2 
2 m ~ 2 



2^ 
2^ 



yrn~ 2 



2 m-2 _ 2 ^ 



2^ 



In this paper, we consider the intersection between $D_d$ and subspaces of
codimension 2. We can characterize the Gold power mappings in terms of these
intersection sizes.

If $F$ is a maximum nonlinear power mapping $x^d$, then one can show that $x^d$ has
to be a permutation, i.e. $\gcd(d, 2^m - 1) = 1$. It seems that this argument did
not yet appear in the literature. It is actually due to Dobbertin, and it will
appear in jT^j. The proof uses the fact that any maximum nonlinear mapping
is an almost perfect nonlinear function. We emphasize that not all maximum
nonlinear functions are bijective: Just by adding a suitable linear function $\alpha x$
one gets nonbijective functions.

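In the case of power mappings with $\gcd(d, 2^m - 1) = 1$, the computation of the
(non)linearity simplifies. In (11), put $\beta = \eta^d$ which is possible since
$\gcd(d, 2^m - 1) = 1$. In (12), we replace $\gamma$ by $\alpha\eta$. Finally in (13) we note that
$\eta x$ runs through $\mathbb{F}_{2^m}$ if $x$ does:

$\mathcal{L}(x^d) = \max_{\gamma,\beta \in \mathbb{F}_{2^m},\, \beta \ne 0} \left| \sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(\gamma x + \beta x^d)} \right|$

(11) $= \max_{\gamma,\eta \in \mathbb{F}_{2^m},\, \eta \ne 0} \left| \sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(\gamma x + (\eta x)^d)} \right|$

(12) $= \max_{\alpha,\eta \in \mathbb{F}_{2^m},\, \eta \ne 0} \left| \sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(\alpha\eta x + (\eta x)^d)} \right|$

(13) $= \max_{\alpha \in \mathbb{F}_{2^m}} \left| \sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(\alpha x + x^d)} \right|$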

Note that 
(14) 



E 

x€F 2 ™ 



\tr(ax+i: c ') 



Em: 



This observation implies some connections between the linearity of power map- 
pings and the crosscorrelation between m-sequences and their decimations, as we 
will describe next. 

Binary sequences $a = (a_i)_{i \ge 0}$ ($a_i \in \{0, 1\}$) are called periodic with period $n$ if
$a_i = a_{i+n}$ for all $i$. The autocorrelation of a binary sequence $a$ with period $n$
is defined by

n-1 

c t (a) := 

The integer $t$ is called a phase shift of the sequence $a$. Since the sequence is
$n$-periodic, we may compute the indices modulo $n$.

A sequence with $n$ odd and $c_t(a) = -1$ for all $1 \le t \le n - 1$ is called perfect,
see ^2] for more background on perfect sequences.



Let $\zeta$ be a primitive element of $\mathbb{F}_{2^m}$. The sequences $a = (a_i)$ with $a_i = \mathrm{tr}(\zeta^i)$
are called m-sequences. They have period $2^m - 1$ and they are perfect. Other
classes of perfect sequences are known. We refer the reader to the chapter on 
difference sets in since perfect sequences correspond to a certain class of cyclic 
difference sets, see also 



Similarly to the autocorrelation, we define the crosscorrelation between two 
binary sequences a and b of period n by 



n-1 



ct(a,b) := ^(-1)^+*. 



i=0 



Finally, we define the $d$-decimation $a^{(d)}$ of an $n$-periodic sequence $a = (a_i)$ by
$a^{(d)}_i := a_{id}$. Note that $a^{(d)}$ is an m-sequence corresponding to the primitive element
$\zeta^d$ if $a$ is the m-sequence defined by $a_i := \mathrm{tr}(\zeta^i)$ and $\gcd(d, 2^m - 1) = 1$.



If $\zeta$ is a primitive element of $\mathbb{F}_{2^m}$, we may reformulate the righthand side of (14):

2 m -2 2 m -2 
xGF* m i=0 i=0 

(define t by a = This shows that the linearity of the power mapping $x^d$ is
the same as $-1$ plus the maximum crosscorrelation value between an m-sequence
and its $d$-decimation.



2 Main Theorem 

Theorem 1 Let $m$ be odd and let $x^d$ be a maximum nonlinear power function
on $\mathbb{F}_{2^m}$. Let

$H^{i,j}(\alpha, \beta) := \{x : \mathrm{tr}(\alpha x) = i,\ \mathrm{tr}(\beta x) = j\}$.

Then $d = 2^k + 1$ for some integer $k$ with $\gcd(k, m) = 1$ (i.e. $d$ is a Gold exponent)
if and only if

(15) $|H^{i,j}(\alpha, \beta) \cap D_d| \in \{2^{m-3},\ 2^{m-3} \pm 2^{(m-3)/2}\}$

for all $\alpha, \beta \in \mathbb{F}_{2^m}^*$, $\alpha \ne \beta$, and $i, j \in \mathbb{F}_2$.

The sets $H^{i,j}(\alpha, \beta)$, $\alpha \ne \beta$, $\alpha, \beta \in \mathbb{F}_{2^m}^*$, are precisely the subspaces of dimension
$m - 2$ in $\mathbb{F}_{2^m}$. The set $D_d$ has some interesting properties. It is the set of $2^{m-1}$
points in the $m$-dimensional vector space $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$. If $d$ is a Gold exponent,
this set is a non-degenerate quadric, see [5], for instance. If $m$ is odd, there is
up to equivalence only one non-degenerate quadric in $\mathbb{F}_{2^m}$, and the intersection
between this quadric and subspaces of codimension 2 must be the three values
described in (15). This is well known to geometers, see [TO], for instance. It
follows from |7j that the only quadrics corresponding to the coordinate functions
of maximum nonlinear power mappings are nondegenerate: In jjj, the intersection
sizes between quadrics $Q$ and hyperplanes are determined whenever $|Q| = 2^{m-1}$.
This applies to the situation of maximum nonlinear power mappings $x^d$ and $m$
odd, since in this case $|D_d| = 2^{m-1}$ (because $x^d$ is bijective). It turns out that
the intersection sizes in El occur only in the nondegenerate case.

It is natural to ask whether there are values $d$ such that $D_d$ is not a nondegenerate
quadric but has the same intersection sizes with hyperplanes. These objects
are called by geometers quasi-quadrics. Many examples of quasi-quadrics are 
known, see j^j, for instance. Note that all maximum nonlinear power mappings 
yield quasi-quadrics. Our research was motivated by the question whether the 
quasi-quadrics constructed from maximum nonlinear functions may also behave 
like quadrics if the intersection sizes with subspaces of codimension 2 are consid- 
ered. The answer, given by Theorem is no. 

An interesting corollary is the following: 

Corollary 2 The only maximum nonlinear power mappings $x^d$ on $\mathbb{F}_{2^m}$ such that
$D_d$ is a quadric are the Gold power mappings.

Before we are going to prove our Theorem, let us mention the following
Proposition which may be of interest in its own right:

Proposition 3 Let $x^d$ be a maximum nonlinear power mapping on $\mathbb{F}_{2^m}$ with
$\gcd(d, m) = 1$. Then

(16) $|H^{i,j}(\alpha, \beta) \cap D_d| \in \{2^{m-3} + h \cdot 2^{(m-5)/2} : -3 \le h \le 3\}$,

where $\alpha, \beta \in \mathbb{F}_{2^m}^*$, $\alpha \ne \beta$.
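
Proof. We define

$S^{i,j}(\alpha, \beta) = |H^{i,j}(\alpha, \beta) \cap D_d|$

and

$S^i(\alpha) = |H^i(\alpha) \cap D_d|$.

Assume $\alpha \ne \beta$, $\alpha, \beta \in \mathbb{F}_{2^m}^*$. We obtain

$|\mathcal{W}_d(\alpha + \beta)| = \left| \sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(\alpha x + \beta x + x^d)} \right|$

$= \left| \sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(\alpha x + i + \beta x + j + x^d)} \right|$

$= 2^m - 2\left(3 \cdot 2^{m-1} - 2S^i(\alpha) - 2S^j(\beta) - 2 \cdot 2^{m-2} + 4S^{i,j}(\alpha, \beta)\right)$

$= -2^m + 4S^i(\alpha) + 4S^j(\beta) - 8S^{i,j}(\alpha, \beta)$.

Because of (5) and (6), we have

$|\mathcal{W}_d(\alpha + \beta)| = 2^m \pm \mathcal{W}_d(\alpha) \pm \mathcal{W}_d(\beta) - 8S^{i,j}(\alpha, \beta)$,

hence

(17) $S^{i,j}(\alpha, \beta) = 2^{m-3} \pm \frac{1}{8}\left(\pm\mathcal{W}_d(\alpha + \beta) \pm \mathcal{W}_d(\alpha) \pm \mathcal{W}_d(\beta)\right)$.

This shows that there are only the seven possible values for $S^{i,j}(\alpha, \beta)$ stated in
the Proposition. □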
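
The following Python check is an added illustration, not part of the paper: it
computes the intersection sizes in (15) and (16) by brute force over $\mathbb{F}_{2^5}$ for the
Gold exponents $d = 3, 5$ and for $d = 7$, which the code confirms is maximum
nonlinear for $m = 5$ but is not of Gold type. The field representation (polynomial
$x^5 + x^2 + 1$) and all function names are assumptions of the example.

```python
# Added illustration (not from the paper): brute-force check of (15) and (16)
# over F_{2^5}. Field representation and all names are assumptions.
M = 5
SIZE = 1 << M
POLY = 0b100101  # x^5 + x^2 + 1, irreducible over F_2


def gf_mul(a, b):
    """Multiply two field elements (bit vectors) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= POLY
    return r


def gf_pow(x, e):
    """Square-and-multiply exponentiation in the field."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r


def tr(x):
    """Absolute trace x + x^2 + ... + x^(2^(m-1)); the result is 0 or 1."""
    t = 0
    for _ in range(M):
        t ^= x
        x = gf_mul(x, x)
    return t


# TR[a][x] = tr(a*x): row a is the linear function tr_a.
TR = [[tr(gf_mul(a, x)) for x in range(SIZE)] for a in range(SIZE)]


def walsh_spectrum(d):
    """W_d(a) = sum_x (-1)^{tr(a x + x^d)} for every a in the field."""
    f = [tr(gf_pow(x, d)) for x in range(SIZE)]
    return [sum(1 - 2 * (TR[a][x] ^ f[x]) for x in range(SIZE))
            for a in range(SIZE)]


def is_maximum_nonlinear(d):
    """True if the spectrum of tr(x^d) is exactly {0, +-2^((m+1)/2)}."""
    bound = 1 << ((M + 1) // 2)
    return set(walsh_spectrum(d)) == {0, bound, -bound}


def codim2_sizes(d):
    """All values |H^{i,j}(a,b) ∩ D_d| for nonzero a != b and i, j in F_2."""
    D = [x for x in range(SIZE) if tr(gf_pow(x, d)) == 1]
    sizes = set()
    for a in range(1, SIZE):
        for b in range(a + 1, SIZE):
            counts = [0, 0, 0, 0]
            for x in D:
                counts[2 * TR[a][x] + TR[b][x]] += 1
            sizes.update(counts)
    return sizes


if __name__ == "__main__":
    for d in (3, 5, 7):
        print(d, is_maximum_nonlinear(d), sorted(codim2_sizes(d)))
```

For $m = 5$ the three values in (15) are 2, 4 and 6, and the seven values in (16)
are 1 to 7; odd sizes appear only for the non-Gold exponent.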

The proof of Theorem 1 reduces to the proof of an interesting property of the
trace function. This Theorem has been independently obtained by Ph. Langevin
and P. Veron ^3]. The proof given in their paper is different from ours. The
Langevin-Veron proof is shorter and more elegant, though less elementary.

Theorem 4 is not true in the case $m$ even. For instance, if we take $m = 8$ and
$d = 51$, then $\mathrm{tr}(x^d + (x + 1)^d + 1) = 0$ for all $x \in \mathbb{F}_{2^8}$. This example can
be extracted from the proof, since line (8) of the following algorithm does not
produce the desired element $w$ if $m$ is even. Note that $\gcd(51, 2^8 - 1) \ne 1$. If we
restrict ourselves to the case $\gcd(d, 2^m - 1) = 1$, Theorem 4 remains true also if
$m$ is even, see Lemma 2 in [T3*] .

Theorem 4 Let $m$ be odd and $d \in \{2, \ldots, 2^m - 2\}$ odd. We have

$\mathrm{tr}(x^d + (x + 1)^d + 1) = 0$

for all $x \in \mathbb{F}_{2^m}$, if and only if $d = 2^k + 1$ for one $k \in \mathbb{N}$.

We postpone the proof of Theorem 4 to the next Section. We are now going to
show that it is sufficient to prove Theorem 4 in order to check Theorem

Let $x^d$ be a maximum nonlinear power function on $\mathbb{F}_{2^m}$, hence the Walsh spectrum
$\{\mathcal{W}_d(\alpha) \mid \alpha \in \mathbb{F}_{2^m}\}$ contains only the three values $\pm 2^{(m+1)/2}$ and 0. We define the
function $b : \mathbb{F}_{2^m} \to \mathbb{F}_2$ by

$b(\alpha) = 1$ if $\mathcal{W}_d(\alpha) \ne 0$,
$b(\alpha) = 0$ otherwise.



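If all or precisely one of the values $\mathcal{W}_d(\alpha)$, $\mathcal{W}_d(\beta)$ and $\mathcal{W}_d(\alpha + \beta)$ in equation (17)
are $\ne 0$, it is impossible that $S^{i,j}(\alpha, \beta) \in \{2^{m-3},\ 2^{m-3} \pm 2^{(m-3)/2}\}$. Therefore,
$b(\alpha) + b(\beta) = b(\alpha + \beta)$, hence $b$ is linear and therefore

$b(x) = \mathrm{tr}(\gamma x)$ $(= \mathrm{tr}_\gamma(x))$

for some $\gamma \in \mathbb{F}_{2^m}^*$. If we think of $\mathrm{tr}(x)$ as an element in $\mathbb{C}$, we obtain

(18) $\mathcal{W}(\mathrm{tr}_\gamma)(\omega) = \sum_{x \in \mathbb{F}_{2^m}} \mathrm{tr}(\gamma x) \cdot (-1)^{\mathrm{tr}(\omega x)} = \sum_{x \in \mathbb{F}_{2^m},\, \mathrm{tr}(\gamma x) = 1} (-1)^{\mathrm{tr}(\omega x)}$

     $= -2^{m-1}$ if $\omega = \gamma$,
     $= 2^{m-1}$ if $\omega = 0$,
     $= 0$ otherwise.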

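On the other hand, the function $b$ satisfies

$b(x) = \frac{1}{2^{m+1}} [\mathcal{W}_d(x)]^2$.

We compute the Walsh transform again:

$\mathcal{W}(b)(\omega) = \sum_{x \in \mathbb{F}_{2^m}} \frac{1}{2^{m+1}} (\mathcal{W}_d(x))^2 (-1)^{\mathrm{tr}(\omega x)}$

$= \frac{1}{2^{m+1}} \sum_{x,y,z \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(x(y+z+\omega) + (y^d + z^d))}$

$= \frac{1}{2^{m+1}} \sum_{y,z \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(y^d + z^d)} \sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(x(y+z+\omega))}$,

where the inner sum is $2^m$ if $z = \omega + y$ and $0$ otherwise,

$= \frac{1}{2} \sum_{y \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(y^d + (y+\omega)^d)}$.

We compare this with (18) and obtain

(19) $\sum_{y \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(y^d + (y+\omega)^d)}$
     $= -2^m$ if $\omega = \gamma$,
     $= 2^m$ if $\omega = 0$,
     $= 0$ otherwise.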



The case $\omega = \gamma$ implies

(20) $\mathrm{tr}(y^d + (y + \gamma)^d) = 1$ for all $y \in \mathbb{F}_{2^m}$.

We can show that necessarily $\gamma = 1$:

tr((y + j) d ) # tr(y d ) + l 
= tr(y 2ld ) + l 

^ tr((/ + 7) d ) 
= ^((^ + 7^?) 

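for all $l = 0, \ldots, m - 1$ and $y \in \mathbb{F}_{2^m}$. Suppose, that $\gamma \ne \gamma^{2^k}$ for some $k \in \mathbb{N}$,
then $\mathrm{tr}(y^d + (y + \gamma^{2^k})^d) = \mathrm{tr}(y^d + (y + \gamma)^d) = 1$, thus
$\sum_{y \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(y^d + (y + \gamma^{2^k})^d)} = \sum_{y \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}(y^d + (y + \gamma)^d)} = -2^m$.
This is a contradiction to the uniqueness of $\gamma$.
Thus we have $\gamma^{2^l} = \gamma$ for all $l = 0, \ldots, m - 1$, and therefore $\gamma = 1$.

Since $m$ is odd we have $\mathrm{tr}(1) = 1$. Therefore

(21) $\mathrm{tr}(y^d + (y + 1)^d + 1) = 0$

for all $y \in \mathbb{F}_{2^m}$. This shows that it is enough to prove Theorem 4.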



3 Proof of Theorem 4

If $d$ satisfies (21), then each $d' \in D$ with $D := \{2^i d \bmod (2^m - 1) : i = 0, \ldots, m - 1\}$
also satisfies (21). We choose the smallest odd $d'$ in $D$, and from now on, we
denote this element by $d$.

Let $w(a)$ be the binary weight of $a$. If $a = \sum_{i=0}^{n} z_i 2^i$ is the binary representation
of $a$, we denote the vector $(z_n, \ldots, z_0)$ by $\bar{a}$. We have $\sum_{i=0}^{n} z_i = w(a)$. In the
following proof, all integers $a$ that occur are $\le 2^m - 1$, i.e. $\bar{a}$ is a vector of
length at most $m$. By adding 0's, if necessary, we assume that $\bar{a}$ is always a
vector of length $m$. Let $v = (v_{m-1}, \ldots, v_0)$ be a vector of length $m$. We denote
by $v^{(t)}$ the cyclic shift of the vector $v$ about $t$ positions to the left, i.e.

$v^{(t)} = (v_{m-t-1}, \ldots, v_0, v_{m-1}, \ldots, v_{m-t})$.

Let $d' = 2^l d \bmod (2^m - 1)$, then $\bar{d'} = \bar{d}^{(l)}$, in particular $w(d') = w(d)$.
We define the polynomial $p$ by

$p(x) := x^d + (x + 1)^d + 1$
and $q$ by

$q(x) := \mathrm{tr}(p(x)) = \sum_{i=0}^{m-1} (p(x))^{2^i}$.

We have $q(0) = 0$, therefore we have to show that

(22) $q(a) = 0$ for all $a \in \mathbb{F}_{2^m}^*$.

Let $T = \{t_1, \ldots, t_n\}$ denote the set of exponents which occur in $p$. We define the
set

T(t) = { < s < 2 m - 2 : = t, i = 0, . . . , m - 1}. 

We obtain

$q(x) = \sum_{t \in T} \sum_{s \in T(t)} x^s$.

In order to prove (22), we have to show that every exponent occurs an even
number of times in $q(x)$.

Let $\bar{d} = (z_{m-1}, \ldots, z_0)$ be the binary vector corresponding to $d$. Since $d$ is odd, we
have $w(d) \ne 1$. If $d = 2^k + 1$ is a Gold exponent, then $w(d) = 2$ and $q(x)$ satisfies (22)
(note that $p(x) = x^{2^k} + x$ in this case). Hence we may assume $w(d) \ge 3$.

If $w(d) = 3$, then $d = 2^k + 2^l + 1$ and $k > l > 0$. For the polynomials $p$ and $q$ we
obtain

$p(x) = x^{2^k+2^l} + x^{2^k+1} + x^{2^l+1} + x^{2^k} + x^{2^l} + x$

$q(x) = \sum_{i=0}^{m-1} \left( (x^{2^k+2^l})^{2^i} + (x^{2^k+1})^{2^i} + (x^{2^l+1})^{2^i} + x^{2^i} \right)$



In $p(x)$, the exponents of binary weight 1 (resp. 2) occur three times, therefore
we have an odd number of exponents of weight 1 (resp. 2) in $q(x)$, and therefore
$q(x)$ cannot satisfy (22). This argument can be generalized: If $z = w(d)$ then
there are precisely $\binom{z}{i}$ exponents $t$ in $p(x)$ with $w(t) = i$, $1 \le t \le d - 1$. Note
that $x^d$ and 1 do not occur in $p(x)$. If $z$ is not a power of 2, at least one of these
binomial coefficients is odd. Therefore, we only have to consider the case $z = 2^n$,
$n > 1$.

Let $v$ be a binary vector of length $m$. A subvector $w = (w_{m-1}, \ldots, w_0)$ of $v$ is a
binary vector $w \ne 0, v$ of length $m$ such that $v_i = 0$ implies $w_i = 0$. The set of
all subvectors of $\bar{d}$ is the set of the binary vectors of the exponents that occur in
$p(x)$. In order to show that (22) holds, we have to prove that the cardinality of
the multiset

$S(s) := \{s^{(i)} : s^{(i)} \text{ subvector of } \bar{d},\ 0 \le i \le m - 1\}$

is even for all $s \in T$. Note that it is possible that $s^{(i)} = s^{(j)}$ for $i \ne j$.

We define a gap to be a substring $v$ of the form 0...0. The number $s$ of 0's in this
substring is called the length of the gap, similarly for runs which are substrings of
the form 1...1. More precisely: There is an $i$ such that $z_i = z_{i+1} = \ldots = z_{i+s-1} = 0$,
where the indices are computed modulo $m$, i.e. we view $d$ as a "cyclic" vector.
If $v = (v_i v_{i+1} \ldots v_j)$ is a substring, we say that the indices $i, \ldots, j$ are contained
in $v$.

By the following algorithm we construct a subvector $w$ of $d$ such that $|S(w)|$ is
odd. Therefore, (22) is not satisfied.

Algorithm

Input: binary vector $\bar{d} = (z_{m-1}, \ldots, z_0)$ of weight $z = 2^n$, $n \in \mathbb{N}$, $m$ odd
Output: subvector $w$ of $d$ such that $|S(w)|$ is odd

(1) l := maximum length of a run in d;
    s := multiplicity of a run of length l in d;
    v := run of length l;
    s_old := m + 1; x_old := 0;

(2) while (w is not defined) do

(3)   y := (y_{m-1}, ..., y_0) with
        y_i = 1 if i is contained in a substring v and z_i is 1,
        y_i = 0 otherwise.

(4)   if z ≠ l · s then w := y; end if;

(5)   if z = l · s then
        x := minimum length of a gap between two substrings v in y;
        L := gap of length x;
        if s = 1 then
(6)       if s_old = m + 1 then w := d − (0...010); end if;
(7)       if s_old ≠ m + 1 then w := (0...0 v_old L_old v_old); end if;
        end if;
(8)     if s = 2 then w := (0...0 v L v); end if;
(9)     if s > 2 then
          s_old := s; l_old := l; x_old := x; L_old := L; v_old := v;
          let w denote a substring of type (v_old L v_old ... L v_old) in d
            with maximum number l of 1's;
          v := (v_old L v_old ... L v_old) where v_old occurs l/l_old times;
          s := multiplicity of v in d;
        end if;
      end if;
    end while;

The algorithm terminates if $z \ne l \cdot s$ or $s \le 2$. Note, if the case $z \ne l \cdot s$ does not
occur then such an $s$ exists because $0 < s < s_{old}$ in each step of the algorithm.

Line (4): If $z \ne l \cdot s$, i.e. $y \ne d$ and $w = y$ is a subvector of $d$. We have $|S(w)| = 1$,
because none of the cyclic shifts $w^{(i)} \ne w$ is a subvector of $d$. Suppose the vector
$w^{(i)}$ with $w^{(i)} \ne w$ is a subvector of $d$. Note, that $w$ and $w^{(i)}$ have the same
number of 1. If $w^{(i)} \ne w$, then there exists a 1 in $\bar{d}$ and this 1 is in $w^{(i)}$ and not
in $w$. Because $w^{(i)}$ is a cyclic shift of $w$, this 1 is in a string $v$, therefore this 1 is
in $w$. This is a contradiction to the definition of $w$.

Line (5): If $z = l \cdot s$, then $l = 2^{l'}$ and $s = 2^{s'}$. We call the gaps $L_j$, $j = 1, \ldots, s$
between the runs $v$. Now we know, that $d$ has the form

$d = (L_s v L_{s-1} v \ldots L_2 v L_1 v)$.

If $s > 1$, the number of gaps is even. Since $m$ is odd, the number of gaps with odd
length and the number of gaps with even length is odd. Therefore the maximum
and minimum gap have different length. Note by the choice of $d \in D$ to be odd
it follows that $L_s$ is one of the maximum gaps and has length $> x$, the minimum
length of a gap.

Line (6): If $z = l \cdot s$ with $s = 1$ and $s_{old} = m + 1$ then $l \ge 4$ and $d = (0...01...1)$.
For $w = d - (0...010)$ we have $|S(w)| = 1$.

Line (7): If $z = l \cdot s$ with $s = 1$ and $s_{old} \ne m + 1$, then > 4. The vector $\bar{d}$ has
the form

$\bar{d} = (L_s v) = (L_{s_{old}} v_{old} L v_{old} \ldots L v_{old} L v_{old})$,

where $L$ is the gap of length $x_{old}$. We obtain $|S(w)| = s_{old} - 1$ is odd.

Line (8): If $s = 2$, then $d = (L_2 v L_1 v)$. The gap $L_2$ is longer than the gap $L_1$.
It is easy to see that $|S(w)| = 1$.

Line (9): The new initialisation for the next while loop. □

We illustrate the algorithm with an example. Here we have $m = 23$ and
$d = 1 + 2^2 + 2^4 + 2^7 + 2^9 + 2^{11} + 2^{15} + 2^{17}$.

Input: d = (00000101000101010010101)

(1) z := 8; l := 1; s := 8; v := 1; s_old := 24; x_old := 0;

(3) y := d;

(5) x := 1; L := 0;

(9) s_old := 8; l_old := 1; x_old := 0; L_old := 0; v_old := 1;

    y = (00000101000 10101 00 10101);

    l := 3; v := 10101; s := 2;

(3) y := (00000000000 v 00 v);

(4) w := y;

Output: w := (00000000000101010010101).